Just say no

On Friday December 16th 2016, I had a routine eye test. The optician noticed swelling on the optic discs at the back of my eye, and I was dispatched to the Manchester Eye Hospital to attend their Emergency Eye Clinic. This is basically A&E for eyes, a mix of swollen eyelids, sudden blindness and people who should have just gone to an optician. I arrived at 2.45pm, and fairly quickly, I was put in the ‘people who need to be seen’ pile. However, this meant waiting for the next available doctor, and like any A&E, the wait was long.

At 5.30, having waited in a dull holding area (with the files of other patients unattended and clearly visible), I was seen by a doctor. At this point, I was bored and worried, desperate to go home but desperate to find out what was going on in my head. Swollen discs can mean all sorts of things, you see, but one of the things Google told me that they can mean is Brain Tumour.

The doctor was terrible. He examined my eyes, pulled faces, and asked lots of questions about the medical history of my family without explaining the significance of any of them. In the middle of that barrage of questions was this one: ‘Any history of tumours in your family?’. Of course, having sat there for nearly three hours with only Google Searches That Spell Imminent Death for company, this question fired out of nowhere was just perfect. After the obligatory disappearance act to consult with a more senior doctor, I was told that they wanted to scan my brain in case “God Forbid” there was a tumour in there.

I was shunted back into another holding area, then at around 7pm a very sympathetic nurse inserted a cannula into my arm so that they could put a dye into my bloodstream when scanning me (a process that never actually happened) and explained ‘We’d like to do a CT scan’. She told me where to go, and because I was evidently in a bad place mentally, made clear that if I wanted to go for a walk before the scan, that would be fine. At length (and after it became clear that the people doing the CT scan weren’t actually expecting me), I had the scan. Several hours later, they decided I had high blood pressure and I went home at 10.45pm.

Looking at the whole thing as a Data Protection professional rather than a patient, the thing that leapt out at me at the time were the boxes of paper records left unattended. During the day, the holding area I was sitting in is very busy, with at least one member of staff behind the desk able to prevent access. When I was there on the Friday evening, there were long stretches when I could have got behind the desk and read the files, and nobody would have known. It’s an open question as to whether a patient left alone with unattended medical records is a ‘personal data breach’ that would have to be reported to the Information Commissioner.

In retrospect, there is a more interesting question. Carrying out a CT scan is processing personal data – it involves the creation of a scan of the patient’s brain which is plainly sensitive personal data (under GDPR, special categories data). So, what condition did Manchester Eye Hospital have for processing my personal data, and did they provide me with adequate fair processing?

Here’s the thing: they didn’t have my consent and I suspect they think they did. They probably didn’t have Data Protection Act consent, but they definitely didn’t have GDPR standard consent. I’m sure many readers will disagree. Surely my lying down to have the scan is a “clear affirmative action”, signifying my agreement to the processing?

Well, it’s not that simple. First, there is the lack of fair and transparent processing. I was told why they wanted to do the scan, but I wasn’t told who would get access to it (which in today’s NHS could be Google), how long it would be kept for, what legal basis they were relying on and so on. Even if the DPA doesn’t demand this now, it’s hard to argue that the processing would be fair unless I was told these things. Moreover, without any fair processing, any consent I gave would not be informed and specific.

The second problem is that my consent was not freely given. I was tired after hours of sitting around, I had been given limited information by a doctor with poor communication skills and frankly I was scared that I had a brain tumour. I hadn’t eaten and or drunk very much, and my phone was dead so I couldn’t discuss it with anyone else. I do not believe I had the capacity to freely give my consent to have my brain scanned. At no point did anyone say ‘Do you consent to having your brain scanned?’, it was couched in passive language: we would like to do this, and if I didn’t object, my consent was assumed.

Then there is the power imbalance – people like to talk about ‘Our NHS’ as if we all collectively own it, but that’s bullshit. Surrounded – outnumbered – by doctors and nurses who want to do something, it’s hard to say no. Indeed, I am aware of cases where a person who refuses to do what the doctors want have been sectioned. Admittedly, as a white, middle-aged, middle-class man, I’m probably less likely to be subjected to this, but who knows. What would they have done if I had said no?

In this context, recital 43 of the GDPR is worth reading:

consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation

I think the power imbalance between the assembled medical staff and me made it impossible for me to say ‘no’, especially when considering the specifics of the situation. I had gone from a routine eye appointment to a request for a brain scan to find out if I had a brain tumour. My ability to make decisions was fried. A few months later, I got up at 7am on a Sunday to drive to Trafford Hospital where some improbably chirpy technicians did an MRI on my head. That interaction was certainly closer to consent than the CT scan, but strictly speaking, nobody asked my consent. It was a lot better, but by no means the only way in which the NHS processes data.

Since my diagnosis of high blood pressure, I have spent an afternoon in a specialist diagnostic ward in one hospital, had the above MRI in another, had separate MRIs and ultrasound scans on my kidneys, a shedload of blood tests and monthly appointments at my GP. My GP aside (who is excellent at explaining everything), the standard of fair processing in all my interactions with the NHS since last December has been lamentable. I don’t know who gets access to my data, I don’t know what for, and nobody has told me how to find out. There may be a privacy notice somewhere on a website but I don’t know where it is and nobody told me how to find it.

I respect and trust my GP. Every nurse I have met, even those briefly sticking a needle in my arm, has been exemplary. The team at the ARMU at Wythenshawe Hospital are superb, both at medicine and communication (in fact, every experience I have had there has been good). But for all the fact that I can be a troll sometimes, I have never caused as much hostility and frustration as when I give my honest opinion about my experiences in the NHS. People are angry with me if I speak my mind. Criticising the NHS is modern-day blasphemy. I’m only writing this blog now because it looks like my eyes are getting better and I probably haven’t got a brain tumour (although the fact that the hospital lost the brain MRI for several months because of the virus infection in May dents my confidence in this). I worry about pointing out the Eye Hospital’s failings because I do have to go back there. Do I want to be treated by people who know that I have criticised them online? This is the power imbalance in a nutshell.

So what’s my point?

The GDPR is built on an improved model of Data Protection – organisations should be transparent, and wherever possible, subjects should be empowered. One of the most important elements in this relationship is the proper treatment of consent. Ironically, given the number of ill-informed articles claiming that GDPR requires consent for data processing, a significant effect of GDPR should be to reduce reliance of consent. Organisations, especially those like the NHS who purport to rely on it, should be much more honest with people. Sometimes you don’t have a choice at all and a thing is going to happen whether you like it or not (HELLO, ROYAL FREE HOSPITAL). Sometimes, there isn’t a real choice – ask me whether I want you to find out whether I have a brain tumour, and honestly, the answer’s no. Rationally, the answer’s probably, ‘OK then’, but it’s not much of a choice and in my case, the question wasn’t even posed.

The NHS is going to breach the GDPR as much in spirit as in practice if it continues in its dubious mantras of implied consent and ‘no decision about me without me’. The fact that a person doesn’t have to be physically forced into the scanner does not mean that they have consented, especially if they haven’t been told clearly and directly how that data will be used. In many situations throughout the NHS, medical professionals think they have consent, tell each other they have consent and they don’t. There are other options in the GDPR, of course, including a rock-solid legal condition for special categories data for the purposes of medical treatment and diagnosis. But many people in the NHS still think consent is their byword and it really isn’t.

For one thing, secondary uses for analysis and research either have to stop, or a much more open and transparent process has to be developed to contact people directly, either to be transparent or, if that’s the basis that being relied on, to seek consent. For all my many scans and blood tests since last December, I have to assume that none of them will ever be used for any purpose other than the direct diagnosis and treatment of my condition because I have never been given a hint that anything else will happen. But is that true?

For another, if the NHS is going to get to grips with GDPR philosophically, it has to be much more honest about the flawed nature of the consent it thinks it’s getting. For years, NHS staff have told me on training courses that a patient rolling up their sleeve is evidence of ‘implied consent’ to take blood (and by further implication, process the data that flows from the test). In fact, what they have at best is inferred consent; and with the power imbalance, possibly not even that.

We know for certain that the Information Commissioner will not tackle this issue because they are terrified of challenging such fundamental issues. Elizabeth Denham’s trumpeting of a slapped-wrist undertaking for the Royal Free Hospital’s misuse of 1.6 million people’s personal data was, at least for me, the final nail in the coffin of her credibility. As a friend of mine said, the chief role of each new Commissioner is make the last one seem better. I am not predicting fines or enforcement of any kind; it won’t happen. But the best thing about the GDPR is its recognition that we are human beings who deserve respect and autonomy. My experience of the NHS in Manchester is far from achieving that.

Comments

  1. I work in IG in the NHS and the central and valid point you make (at least for me) is the issue about “implied consent”. Whether the NHS knows it or not the vast majority of the processing that it undertakes is actually relying on the medical purpose condition with regards to legitimate processing under Data Protection legislation. As any DP practitioner knows there is no such thing as implied consent with regards to processing sensitive personal data under DPA (never mind GDPR) – It must be explicit!

    The problem in my view is that in the NHS there has been a conflation of the concept of consent in the field of Data Protection and the Duty of Confidentiality. Implied consent is accepted as a legitimate basis to share medical data about a patient (eg between primary and secondary care organisations) without breaching the duty of confidence owed, as long as the data is only shared for the purpose of providing care for that patient and that they are made aware of it (and given the opportunity to dissent). However by some process of osmosis the implied consent used for Duty of Confidence is thought as a legitimate condition for processing under DPA which of course it is not. The problem I think is based on the myth held in the NHS that consent as far as DPA is concerned is a gold standard and superior to the other conditions which of course it is not and for the reasons you mentioned is inappropriate.

    The NHS need to drop the illusion that under DPA and GDPR it will be relying on consent for the bulk of processing sensitive personal data. It needs to be honest with itself and transparent with the patients on this.

    • Thanks very much for this comment – much better informed about the issues than I am, and the final couple of lines hit the nail on the head.

  2. I think Mark has pretty much nailed it with his comments. I will just add some reasons, which are not excuses, as these issues *do* need resolution. Reason 1: NHS staff get confused about consent just as much as the rest of the general public, because they are the general public. Media mis-reporting is really unhelpful as it also creates unrealistic patient expectations, which contribute to staff anxiety and confusion. Reason 2: IG teams are small. Quite often 2 or 3 people only in an organisation of 1,000s. Reason 3: Training is costly. Annual mandatory training for an org of 5,000 costs in the region of £140K (based on average nurse salary) and is the equivalent in time of nearly 2 full-time members of staff. In an incredibly resource-constrained environment, where there are staff shortages and other mandatory training demands. Making it count and covering ALL the bases is really tough. Reason 4: Professional and training bodies need to be helping us more – not enough on IG for students or in professional revalidation. Mostly confidentiality, nothing on secondary use, little on other info sec and records standards. Reason 5: Insufficient resource. When A&E targets are being breached, no-one gives a **** about IG training compliance tbh. Reason 6: Space constraints for physical files. Having said this, free accessibility to patients/public is inexcusable, they should at least be held in restricted areas not left in clinic rooms/unattended. Reason 7: Did I say insufficient resource?

    I re-iterate: NONE of these are valid excuses, just hopefully some insight into how some of the NHS has ended up in this mess. Some organisations do better than others. Thanks Tim for calling it how you see it, as the more people that do this, the more evidence we have for more resource being needed and greater priority given.

  3. Apologies for double post: also, organisation boundaries in the NHS are often artificial. We need to think in terms of care pathways and describe the legitimate purpose to patients of sharing between professionals in that care pathway – GP, specialist, acute provider, community, etc. Restructuring starting to be measured in RPM not helping.

%d bloggers like this: